artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 45f5f3c)
Revert 1.32
authorjob <job@openbsd.org>
Mon, 24 Apr 2023 08:09:29 +0000 (08:09 +0000)
committerjob <job@openbsd.org>
Mon, 24 Apr 2023 08:09:29 +0000 (08:09 +0000)
jsing@ noted that ASN1_OP_D2I_POST might not be the best place to
introduce this check (as could lead to pushing errors
(ASN1_R_AUX_ERROR) onto the stack). Additionally, without matching
validation on the encoding side brittleness is introduced.

lib/libcrypto/asn1/x_x509.c patch | blob | history

diff --git a/lib/libcrypto/asn1/x_x509.c b/lib/libcrypto/asn1/x_x509.c
index 87b7148..df66153 100644 (file)
--- a/lib/libcrypto/asn1/x_x509.c
+++ b/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509.c,v 1.32 2023/04/23 21:31:16 job Exp $ */
+/* $OpenBSD: x_x509.c,v 1.33 2023/04/24 08:09:29 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,7 +61,6 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -195,34 +194,10 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
                CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
                break;
 
-       case ASN1_OP_D2I_POST: {
-               const ASN1_BIT_STRING *issuerUID = NULL, *subjectUID = NULL;
-               long version;
-
-               version = X509_get_version(ret);
-               /* accept 0 despite DER requiring omission of default values */
-               if (version < 0 || version > 2) {
-                       X509error(X509_R_INVALID_VERSION);
-                       return 0;
-               }
-
-               /* RFC 5280 section 4.1.2.8, these fields require v2 or v3 */
-               X509_get0_uids(ret, &issuerUID, &subjectUID);
-               if ((issuerUID != NULL || subjectUID != NULL) && version == 0) {
-                       X509error(X509_R_INVALID_VERSION);
-                       return 0;
-               }
-
-               /* RFC 5280 section 4.1.2.9, extensions require v3. */
-               if (X509_get_ext_count(ret) != 0 && version != 2) {
-                       X509error(X509_R_INVALID_VERSION);
-                       return 0;
-               }
-
+       case ASN1_OP_D2I_POST:
                free(ret->name);
                ret->name = X509_NAME_oneline(ret->cert_info->subject, NULL, 0);
                break;
-       }
 
        case ASN1_OP_FREE_POST:
                CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
OpenBSD src
by Ahmet Artu Yildirim